Skip to Content
Nemu Inc.
Access ControlπŸ” Access Control Policy

πŸ” Access Control Policy

1. Purpose

This document defines Nemu Inc.’s approach to managing logical access to systems and data, ensuring only authorized users can access what they need to perform their roles.

2. Scope

Applies to:

  • Internal tools, source code repositories, and monitoring platforms.

3. Access Management Principles

  • Least Privilege: Users receive the minimum access necessary for their role.
  • Need-to-Know: Access to Confidential data requires a demonstrated business need.
  • Role-Based Access Control (RBAC): Where supported by CSPs and tools, access is granted via roles and groups.

4. User Provisioning

  • New accounts are created based on role and function.
  • Access is approved by a manager or system owner.
  • CSP and internal tool accounts are linked to corporate identities where possible (e.g., Google Workspace SSO).

5. Access Review

  • Periodic access reviews are conducted for:
    • Supabase roles and database access.
    • Render service access and deployment permissions.
    • Google Workspace admin and group memberships.
  • Access not required is revoked.
  • User access reviews done annually.

6. Termination and Transfer

  • Upon separation or role change, user access is updated or removed following the separation handling process.
  • Shared secrets may be rotated when individuals with access leave critical roles.

7. Audit Evidence

  • Access review records (screenshots, spreadsheets, or tickets).
  • Provisioning/deprovisioning tickets or logs.

8. Compliance Mapping

  • SOC 2: CC6.2, CC6.3
  • ISO 27001:2013: A.9.1.1, A.9.2.1–A.9.2.6
Last updated on
Access ControlπŸ”‘ Password Policy